Is cloud computing secure? Pro and contra cloud security
By Michael Pietroforte
I have stumbled across quite a few articles discussing the security of cloud computing lately. Opponents of cloud computing usually put forward that many organizations won’t outsource their IT infrastructure to the cloud because of security concerns. Cloud supporters often downplay these concerns and some even believe that cloud computing is more secure than on-premise computing. I think that both sides have good arguments. In this post, I have summarized all of the arguments that I am aware of.
Alistair Croll and Petko D. Petkov claim that cloud computing has equal or even better security than on-premise computing. Here are their arguments and some of my own:
Fewer humans: Cloud providers employ fewer humans. Most security breaches are caused by humans.
External admins: Employees of your own organization are more prone to espionage than are the cloud operators because spies can target them more directly.
Better security tools: Cloud providers can afford the best security tools. Your company’s security infrastructure might be no match for a large cloud provider’s defenses.
Better security experts: Cloud providers can afford the best security experts. In your own organization, you might not even have security specialists. Ordinary admins are often too busy to take care of security.
Well-thought-out security infrastructure: Cloud providers have a high interest in security. If it becomes public that they have a security hole, it will cost them a lot of money, even though there may have been no security breach. Therefore, they have to invest more in security than do ordinary companies.
Enforced security: Cloud providers can impose their security policy on their customers. Lazy or ignorant admins in your own organization can’t circumvent it.
I think these are all good arguments. However, there are also counterarguments. Kate Bevan and Bradford Knowlton are skeptical when it comes to cloud security. I have added some of my own arguments:
External people: People outside the organization have access to sensitive data. Can you be sure that a disgruntled cloud operator won’t sell your organization’s data to a competitor?
Browser vulnerabilities: Cloud services are often used and managed with web browsers. Because browsers are a major target for hackers, they are the weak point in any security strategy.
Vulnerable APIs: The employees of your organization have to access and manage the cloud remotely via APIs. These APIs enlarge the attack surface of your organization, since you wouldn’t need them if you kept your data behind your firewall. If an API of a cloud provider has a vulnerability, it might expose your organization’s data to anyone who gets access to the corresponding exploit.
Monoculture: Large datacenters are like large cornfields. Monocultures are more vulnerable to pests than are smaller units.
Interesting target for hackers: Cloud providers are an interesting target for hackers. Once they are in the datacenter, they have access to not only one but hundreds or even thousands of organizations. The more hackers who attack a datacenter, the more likely it is that they will get in, sooner or later.
Terrorist attacks: Large datacenters are also interesting targets for terrorists. Destroying a big data center that hosts the IT infrastructure of many important companies is probably more “effective” than crushing a skyscraper.
Damage limitation: If there is a security breach, do you think that the cloud provider will inform you? Will they give you detailed information about the incidents, so you will know what data have been stolen or manipulated? What about forensics? Can you get access to the cloud provider’s machines that are also used by other companies?
I think the main reason why many have security concerns about cloud computing is that they have no real insight into, and no control over, the security infrastructure of the cloud operator. They have to rely on the expertise and reliability of people they have never met. Can you also trust the cloud provider’s cleaning lady? I think, to a certain degree, this is not really a rational argument because there are ways to secure data outside your company’s buildings using encryption technology.
However, we are mostly irrational beings. Thus, I think security will always be the main reason why many organizations will keep their sensitive data within their own walls, no matter how much the cloud providers swear by their security.
Did I forget arguments for or against cloud security? What is your view? Do you have concerns about placing your organization’s sensitive data into the hands of third parties or do you think that the cloud opponents are just overreacting?








Windows in the cloud…Windows and Cloud, two words that don’t mix. Linux and cloud…good, osx and cloud…good, unix and cloud…good. Windows and cloud=disaster at some level. Obviously remains to be seen, so Microsoft…let’s see it.
OS X and cloud? How is that? As to Windows, Microsoft is always too late for the party. This is the privilege of star guests.